clamav - Set up a local freshclam database server

freshclam database updates are throttled by clamav. The solution is to set up your own LAN server.

Caveats

This describes a setup suitable for an internally facing server, not a publicly visible one, thus no attention is paid to security. This has been implemented on Debian bullseye but it should be similar on other distros / releases.

Why bother?

The folks of the clamav project object to multiple devices downloading directly from clamav because they are concerned about their bandwidth requirements. The threshold seems to be 10 devices. This manifests itself as warning messages in the log and a temporary ban from downloading. A typical log would look like this:-

Wed Sep  8 00:36:06 2021 -> WARNING: FreshClam previously received error code 429 from the ClamAV Content Delivery Network (CDN).
Wed Sep  8 00:36:06 2021 -> This means that you have been rate limited by the CDN.
Wed Sep  8 00:36:06 2021 ->  1. Run FreshClam no more than once an hour to check for updates.
Wed Sep  8 00:36:06 2021 ->     FreshClam should check DNS first to see if an update is needed.
Wed Sep  8 00:36:06 2021 ->  2. If you have more than 10 hosts on your network attempting to download,
Wed Sep  8 00:36:06 2021 ->     it is recommended that you set up a private mirror on your network using
Wed Sep  8 00:36:06 2021 ->     cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
Wed Sep  8 00:36:06 2021 ->     CDN and your own network.
Wed Sep  8 00:36:06 2021 ->  3. Please do not open a ticket asking for an exemption from the rate limit,
Wed Sep  8 00:36:06 2021 ->     it will not be granted.
Wed Sep  8 00:36:06 2021 -> WARNING: You are still on cool-down until after: 2021-09-08 01:32:39

The solution is to set up a local server.
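
The rate-limit warnings in the log above can be picked up automatically before hosts silently stop updating. The Python below is an added example, not part of the original post: it scans freshclam log text for the 429 warning and the cool-down deadline. The function names and the sample log (constructed in the format shown above) are assumptions, and timestamps are treated as the host's local time.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log excerpt above (not a real capture).
SAMPLE_LOG = """\
Wed Sep  8 00:36:06 2021 -> WARNING: FreshClam previously received error code 429 from the ClamAV Content Delivery Network (CDN).
Wed Sep  8 00:36:06 2021 -> This means that you have been rate limited by the CDN.
Wed Sep  8 00:36:06 2021 -> WARNING: You are still on cool-down until after: 2021-09-08 01:32:39
not a freshclam log line
"""

# "<ctime-style timestamp> -> <message>", as written by freshclam in the excerpt.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
RATE_LIMITED = re.compile(r"received error code 429\b")
COOLDOWN = re.compile(r"cool-down until after: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


def scan(log_text):
    """Return (timestamps of 429 warnings, latest cool-down deadline or None)."""
    hits, deadline = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # ignore anything that is not a timestamped log line
        logged_at = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        message = m.group(2)
        if RATE_LIMITED.search(message):
            hits.append(logged_at)
        found = COOLDOWN.search(message)
        if found:
            until = datetime.strptime(found.group(1), "%Y-%m-%d %H:%M:%S")
            deadline = until if deadline is None else max(deadline, until)
    return hits, deadline


def in_cooldown(log_text, now):
    """True while `now` has not passed the latest cool-down deadline in the log."""
    _, deadline = scan(log_text)
    return deadline is not None and now <= deadline


if __name__ == "__main__":
    hits, deadline = scan(SAMPLE_LOG)
    print(f"429 warnings: {len(hits)}, cool-down until: {deadline}")
    print("still throttled now:", in_cooldown(SAMPLE_LOG, datetime.now()))
```

A host that is still in cool-down is running on stale signatures, so the result is worth feeding into whatever monitoring already watches the clients.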

What is not in this post

Instructions on installing clamav.

Instructions on installing apache.

Prerequisites

The setup described here requires a server running apache with freshclam installed.

Design

The aim is:-

  • To get freshclam to download to the /srv/cache/clamav directory on the server.

  • For the apache server to serve those databases at hermes.mgent.home/clamavcache/

  • For the clients to retrieve databases from hermes.mgent.home/clamavcache/

Substitute your own locations for those above.

Server setup

Two changes must be made to the freshclam configuration. Use your editor of choice; this shows vim.

Edit the freshclam configuration file

Then ensure the two highlighted lines are as shown.

Make the changes to the server's freshclam configuration file.

Now we have to set up apache to serve the databases. I have a simple apache setup on this server so it is enough to add the changes to the default site.

Edit the default apache site.

Now we have to add a block defining an alias and access permissions to the database directory. Add the highlighted block.

Add the alias block to the apache default site.

And lastly for apache, restart the service.

Restart apache.

At least with Debian bullseye, freshclam is restricted by apparmor, which would prevent it from writing to /srv/cache/clamav, so we have to edit the apparmor profile:-

Edit the freshclam apparmor profile.

Now add the lines highlighted near the equivalent /var/lib/clamav lines.

Add the new cache directory to the freshclam apparmor profile.

Client setup

The client setup consists solely of 2 line changes to the freshclam configuration file.

Edit the client freshclam configuration file.

Now change / add the two highlighted lines.

Change the client freshclam configuration file.

References

The clamav web site can be found at https://www.clamav.net/
